The Internet Security Alliance (ISA), made up of IT vendors and customers, has called on the US government to explore new incentives for companies to invest in cybersecurity instead of focusing on regulation.
The ISA wants the US government to abandon old regulatory approaches in favour of incentives such as cybersecurity insurance, awards programmes and caps on legal liability for companies that adopt cybersecurity best practices.
The ISA criticised legislation that requires the US government to create cybersecurity standards. An example of this is the Improving America’s Security Act (IASA), which was passed by the US Senate in mid-March. The IASA authorises the US Department of Homeland Security to develop standardisation and certification programmes for US critical infrastructure, including the internet.
Larry Clinton, president of the ISA, said: "That approach will not work ... due to factors within the internet itself. The internet is inherently international, it changes much too quickly, and it's under constant attack."
Clinton added that the US government should instead encourage companies to invest in cybersecurity and adopt best practices already outlined by a number of private organisations. He suggested that incentives that reduced costs would help remove the cost centre label that cybersecurity has gained. "Government regulations can't keep up with internet threats, but the profit motive can."
Other suggestions from the ISA include:
- Companies following best practices should be able to buy additional insurance for cybersecurity-related events. Some companies have deferred investments in cybersecurity because they are concerned that they are not protected from liability.
- The US government should limit legal liability for companies following best practices.
- US government agencies should set cybersecurity standards in their procurement practices, creating new business opportunities for companies that follow best practices.
- The US government should establish an awards programme recognising companies with strong cybersecurity programmes.
The ISA is a collaboration of the Electronic Industries Alliance and Carnegie Mellon's CyLab and works closely with the CERT Coordination Centre. ISA helps organisations in several industries develop best practices in internet security.